Google Attributes Axios npm Supply Chain Attack to North Korean Group UNC1069

Source: The Hacker News (Business)

Key Points:

  • Google has attributed the supply chain compromise of the popular Axios npm package to UNC1069, a financially motivated North Korean threat actor known for cryptocurrency-related attacks.
  • The attack involved hijacking the package maintainer's npm account to push trojanized Axios versions containing a malicious dependency "plain-crypto-js," which installs a cross-platform backdoor targeting Windows, macOS, and Linux.
  • The backdoor, WAVESHAPER.V2, is an updated version of a previously UNC1069-linked malware, supporting multiple commands and communicating with its command-and-control server using JSON.
  • Indicators of compromise include the presence of "plain-crypto-js" in node_modules, the processes it spawns, and connections to the C2 domain sfrclak[.]com; mitigation involves auditing dependencies and lockfiles, pinning known-good package versions, isolating affected systems, and rotating any credentials those systems held.
  • Security experts warn this attack represents a sophisticated, scalable operation designed for maximum developer reach, urging organizations to audit all package managers and treat exposed secrets as compromised.
